If you discover a security vulnerability, please report it by emailing josephburnett@fastmail.com.

• You can expect an acknowledgment within 7 days (best effort).
• Please include steps to reproduce and any relevant details.
• We ask for coordinated disclosure — please do not publish details before a fix is available.

Contributors who report valid vulnerabilities will be credited in the release notes (unless they prefer to remain anonymous).